Windows 7 Forums

Windows 7: New Variant of "FAKE" Security Essentials to be aware of!

30 Mar 2012   #1
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64

Some of you may remember the 2010 version of the fake Microsoft Security Essentials. Lately a totally new Aero-styled twist on the previously known "protector.exe" trojan dropper, which saw the fake SE or Windows Doctor scamware placed on your system, has appeared: it has a new cousin to watch out for!

This latest malware will easily slip past any effective web guard as well as just about any AV program! The user will unwittingly expose themselves to it through whatever form disguises it to begin with.

The trojan dropper, now called "protector-xfg.exe", downloads several trojans along with a fake "Security Essentials - Windows Defender". Note that when trying to bring up the Task Manager to find out which process is new and end it, you will find the fake SE along with a "Windows Process Manager" which basically takes over the Task Manager entirely, preventing you from disabling the scamware as well as the protector-xfg.exe trojan dropper.

Removal is basic as far as the main exe file goes: boot into safe mode and manually delete the file found under the user account sub folders once you have opened the file location. Here on one infected Windows 7 laptop the protector-xfg.exe bug was first moved into a temp folder out of the user account while still being active, prior to the reboot into safe mode.

With the VIPRE AV Home Premium version of that software installed, and having removed several trojans already, the fake SE still continued to indicate they were present risks. The obvious design of the malware was to point at already-known bugs in order to get people to buy the fake SE!

Unfortunately the laptop needed charging the first time it was looked at; the follow-up scan by VIPRE, however, revealed the quarantined and then removed trojans as well as the fake SE, seen as the last item in the scan results here.

The fake SE has a dark, almost black background, with the look of more recent software in the Aero style and yellow and red coloring for text. That's quite a bit different in appearance from the 2010 version of the fake MS SE seen in the link above.

01 Apr 2012   #2

Windows 7 Pro with SP1 32bit

Thanks for this info.
01 Apr 2012   #3

Windows 10 64bit

Great info, nice to know for future possibilities of infections, to warn others.

01 Apr 2012   #4
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64

I only wish I could have grabbed a screenshot of how the fake scamware looked, but I was on someone else's laptop without a flash drive handy! The scamware looked too much like an updated form of MS Security Essentials when prompting about the 4 trojans it saw downloaded in the first place, and when trying to bring up the Task Manager!

The Task Manager was obviously locked up first to prevent anyone from ending the protector-xfg.exe combo bug! Instead you saw the same fake SE screen, only with two menu columns on the left, one above the other, with a "Windows Process Manager"! Or a lock-up of the Task Manager!

The fake also pointed right at "C:\Program Files\Internet Explorer\iexplorer.exe" as a risk and was designed to prevent any IE windows from staying open long enough to run any online security sweep or download a removal tool! This one was well written and aimed at forcing people to buy a non-existent program!

Removal wasn't as hard IF you knew it was a fake to start with! While you wouldn't be able to take ownership of the protector-xfg.exe itself, you could open two WE windows and see it moved out of the "C:\users\user account name\AppData\Roaming\" sub folder, where this one was found, into a temp folder.

The reboot into safe mode saw no events since the process was ended, and that file was simply dragged into the Recycle Bin to say "bye bye!" to that one. The subsequent scan by VIPRE seen there was then able to remove the scamware as well as the 4 trojans in one shot, with no further traces of any of this found so far. IE is also running normally.

Just how the malware got on in the first place is another matter, since the laptop was being borrowed by someone totally new to any PC! Namely a kid who lacks any actual experience besides a social network. The suspicion is that it wasn't from being on any site the firewall would have blocked.

The trial version of another AV software as well as another browser were found installed without the owner's knowledge or permission, the owner being someone new to PCs as well. I think someone simply clicked on one too many links and ended up with... "THE BUG!"
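As an added example that is not part of this thread (the script is an editor's addition, not any poster's), here is a read-only PowerShell triage script for the situation described in the posts above. It lists running processes whose executable was launched from the user's AppData\Roaming or temp folders (the poster found protector-xfg.exe under AppData\Roaming and moved it to a temp folder), checks whether Task Manager has been disabled through the DisableTaskMgr policy value (a common mechanism behind a "locked" Task Manager; the thread does not say which mechanism this sample used, so that check is an assumption), and lists per-user Run key entries that point into those folders. All paths are standard Windows locations; the script changes nothing on the machine. It is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added triage example (editor's code, not from the thread).
# Run from an elevated PowerShell prompt. Read-only: it reports, it does not kill or delete.

# Folders a rogue-AV dropper commonly runs from; these are where the thread reports the sample living.
$suspectRoots = @($env:APPDATA, $env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# 1. Running processes whose image path starts with one of those folders.
$findings = Get-Process | ForEach-Object {
    $p = $_
    $path = $null
    try { $path = $p.MainModule.FileName } catch { }   # some system processes deny access; skip them
    if ($path) {
        foreach ($root in $suspectRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                New-Object PSObject -Property @{ PID = $p.Id; Name = $p.ProcessName; Path = $path }
                break
            }
        }
    }
}
if ($findings) {
    "Processes running from user/temp folders (review each before acting):"
    $findings | Format-Table PID, Name, Path -AutoSize
} else {
    "No running processes found under AppData\Roaming or temp folders."
}

# 2. Task Manager disabled by policy? (Assumption: the thread's sample may have used another method.)
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { "Task Manager is disabled by policy: $key\DisableTaskMgr = 1" }
}

# 3. Per-user autostart entries that launch from the same folders (how a dropper survives a reboot).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $entry = $_
        foreach ($root in $suspectRoots) {
            if ("$($entry.Value)" -like "*$root*") {
                "Run entry '$($entry.Name)' starts from $root : $($entry.Value)"
            }
        }
    }
}
```

Anything the script lists is a lead, not a verdict: legitimate per-user installers (browsers, updaters) also run from AppData, so compare the path and publisher against what the owner actually installed before removing anything, and as the poster did, finish with a full scan from a trusted AV after the suspect file is gone.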
